{
    "id": "S050",
    "name": "Reference tokens must be unique, with at least 128 bits of entropy from a CSPRNG",
    "description": "Reference tokens (session IDs, authorization codes, access tokens) must have at least 128 bits of entropy generated using a cryptographically secure pseudo-random number generator (CSPRNG).",
    "category": "security",
    "severity": "high",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "tokens", "entropy", "csprng", "session"],
    "examples": {
        "valid": [
            "crypto.randomBytes(16).toString('hex'); // 128-bit",
            "crypto.randomBytes(32).toString('base64'); // 256-bit",
            "uuid.v4(); // UUIDv4 has 122 bits of randomness, just short of this rule's 128-bit minimum"
        ],
        "invalid": [
            "Math.random().toString(36); // Not cryptographically secure",
            "Date.now().toString(); // Predictable",
            "userId + timestamp; // Low entropy"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule ensures reference tokens have sufficient entropy: at least 128 bits is the minimum, and 256 bits is preferred for high-security applications. Generate them with a CSPRNG: crypto.randomBytes() in Node.js, SecureRandom in Java, the secrets module in Python. Avoid Math.random(), timestamps, and sequential IDs.",
        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
    }
}
